Torus IT Security

Why annual cyber awareness training is no longer enough

Why cyber awareness needs to be run as an ongoing programme with campaigns, reminders, completion tracking and exportable evidence.

For a long time, many organisations treated annual training as enough to “cover” cyber awareness. A campaign is launched, employees complete a module, an export is saved, and the topic appears closed until the next cycle.

That logic is becoming harder to defend. Not because annual training is useless, but because it no longer reflects the operational reality of most organisations: staff turnover, changing ways of working, more convincing phishing attempts, expanding remote access, more precise client expectations and a growing need for evidence.

The real issue is therefore not whether a training module exists somewhere in the year. The real issue is whether the organisation can run awareness as a continuous programme, with defined populations, reminders, progression tracking, understandable results and usable evidence when an audit, a client or management asks for proof.

Key takeaway: An awareness campaign is defensible only if the organisation can explain who was covered, when, with what follow-up and what evidence was retained.

Why the “once a year” model reaches its limits quickly

Annual training still has value. It creates a common baseline, reinforces core expectations and gives the organisation a shared point in the calendar. The problem begins when it becomes the only answer.

People change. New joiners arrive, contractors are granted access, managers move roles, employees leave. A once-a-year snapshot does not reflect that movement.

Risks also evolve. The themes that need attention are not fixed: phishing, password hygiene, document handling, mobility, escalation habits, protection of sensitive information, behaviour expectations by role. Waiting twelve months to reactivate attention across all of this is not always realistic.

Evidence expectations evolve as well. In a discussion with a client, an auditor or senior management, it may not be enough to say that training was offered. Teams may need to show who was targeted, what completion level was reached, how reminders were handled and how awareness fits into a broader governance effort.

That means annual training may remain part of the answer, but it should not be the whole answer.

Awareness has to be managed as a programme

An awareness programme starts from a simple idea: not everyone needs the same cadence, the same exposure or the same reminder model.

Start by defining useful populations. Depending on context, this might include:

  • the full employee base;
  • new joiners;
  • managers;
  • roles exposed to specific types of risk;
  • groups that require follow-up or catch-up.

This segmentation does not need to become complicated. It needs to remain readable and justifiable. The aim is to avoid a blurred model where nobody can explain who received what, or why.

Then combine formats. A yearly baseline may still make sense, but it often works better when complemented by shorter campaigns, role-sensitive refreshers or onboarding sequences. Awareness then becomes a managed routine rather than a single event.

Finally, look at tracking. A programme does not truly exist if nobody is watching completion, reminders, persistent gaps or differences between teams.

What auditors and clients increasingly look for

Expectations vary by context, but the direction is clear: stakeholders increasingly look for evidence of management, not only a statement of intent.

In other words, the question is not simply “did you train your people?” It becomes:

  • which population was covered;
  • through which campaign or course;
  • on what timeline;
  • with what follow-up;
  • and with what retained evidence.

An organisation that only keeps a minimal annual export may be able to answer a basic question. As soon as the discussion goes deeper, however, that evidence becomes thin. By contrast, even a modest programme can look much stronger when it is clearly managed.

At that point the organisation can show progress, explain delays, evidence reminders, identify incomplete groups and connect the whole thing to a broader cyber governance effort.

What makes an awareness programme defensible

Four dimensions matter in practice.

1. The target population

Every campaign or training assignment should be tied to a defined population. Without that, a completion export stays ambiguous. Nobody can tell whether the right people were included or whether the perimeter changed along the way.

2. The cadence

A defensible programme is not defined only by a launch date. It shows a rhythm: annual baseline, onboarding steps, targeted reminders, follow-up deadlines and periodic review.

3. Evidence of follow-through

It should be possible to show that actions were not only published but actually monitored. Reminders, completion rates, persistent gaps and consolidated status reports all matter here.

4. Integration into wider governance

Awareness gains credibility when it is not treated as a separate island. It should sit inside a wider model of responsibilities, reporting, priorities and, when relevant, corrective action.

What evidence you should actually be able to produce

Keeping evidence does not mean saving everything without structure. What matters is retaining records that remain readable and useful.

In practice, the important pieces are often:

  • the definition or list of the targeted population;
  • the campaign or training assigned;
  • the expected completion period;
  • completion or progress exports;
  • reminders that were sent;
  • the date of consolidation or review;
  • where relevant, the record of a catch-up action or management decision.

These elements allow the organisation to tell a management story. Without them, teams often have only a raw output that is difficult to interpret later.

Avoid                                  | Produce
One annual send-out without follow-up  | A campaign with population and deadline
An isolated global rate                | Exports connected to a defined perimeter
Informal reminders                     | A clear record of reminders and decisions

What an e-learning platform changes in practice

An effective platform is not valuable only because it delivers content. It is valuable because it supports management.

When teams can assign training, follow defined populations, send reminders, consolidate indicators and export understandable evidence, awareness becomes more robust. That framework matters even more when several teams contribute, when evidence requests are recurring, or when management wants clearer visibility over execution.

In that sense, e-learning is not separate from cyber maturity. It becomes one documented part of a wider operational model.

Frequent mistakes to avoid

Three mistakes come up regularly:

  • measuring launch rather than actual completion;
  • treating all audiences in exactly the same way;
  • keeping exports without context.

A published campaign is not the same thing as a managed campaign. And an export found six months later says very little if nobody remembers the population, period or reminder cycle behind it.

Conclusion

Annual training still matters, but it is no longer enough on its own to demonstrate a well-managed cyber awareness approach. What makes the difference is the ability to show who was trained, on what, with which follow-up, which reminders and which evidence.

The Torus E-learning page shows how awareness can be connected to tracking and evidence rather than treated as a one-off task.